Another Look at Fraud
In my professional career as an auditor of community associations I have been involved in the investigation of approximately 20 embezzlements (embezzlement being one form of fraud, the most common form in the community association industry) over the years. Most frauds are not discovered by auditors, but are found based on internal reviews or tips from employees. Contrary to what many people believe, discovery of fraud is NOT the primary goal of an audit; the audit is intended to determine the (relative) accuracy of the association's financial statements. CPAs performing audits have an obligation to consider the possibility that fraud may exist in the performance of our procedures.
At the core of any form of fraud are three underlying factors referred to as the "Fraud Triangle."
-
Incentive to commit fraud
-
Opportunity to carry out the fraudulent act
-
Ability to rationalize fraud
The incentive to commit fraud is normally caused by personal financial pressures that can't be relieved by ordinary, legitimate means. Such pressures are often caused by divorce, health issues, bad investments, gambling, or addictions.
The opportunity to commit fraud exists where there are weaknesses in financial processes; internal controls over financial transactions.
Rationalization of fraudulent activity takes place where an individual thinks they are justified in taking money because they are underpaid or under-appreciated, or because it is for their family, or because it's just temporary and they intend to pay it back.
Exposure to fraud, or risk of fraud, differs depending on type of organizations and processes used.
-
Smaller, self- managed associations that depend on directors/members to process transactions have a higher degree of risk because there is usually no one reviewing the transactions. The association is completely dependent on the honesty of the member. Risk is reduced if an outside contractor performs some or all of the accounting function.
-
Larger, self-managed associations that employ staff usually have the issue that no more than one or two people are involved in the accounting process, so there is little, if any, segregation of duties, which is one of the cornerstones of strong internal controls. Use of outside lockbox and payroll services help reduce risk.
-
Associations that employee an outside management company enjoy some level of automatic protection against internal fraud risk. Most management companies have a sufficient number of staff in their employ that they can achieve an adequate segregation of duties. However, use of an outside management company exposes the association to risk of fraud at the management company level. Fortunately, that occurs very infrequently.
In all instances, the association should make sure that they have adequate insurance to mitigate losses. Consult with your HOA insurance specialist, as different kinds of insurance policies may be required depending on which of the three categories above that you fall into.
Regular review of association financial statements by a knowledgeable board or finance committee member is another action that limits ability by anyone to divert funds. Consistently late delivery of financial statements to the board or finance committee is another potential sign of problems. Make sure that the association gets an annual audit or review of financial statements. Even though those engagements are not specifically designed to detect fraud, discovery can occur during this process.
Weaknesses in internal financial controls cover a very wide range of activities, but there are a few generalizations that exist.
Money can be diverted from either the billing/cash receipts cycle or the purchase/cash disbursements cycle of financial transactions. One of the "tracks" that perpetrators often leave are "journal entries" in the general ledger to cover up funds diverted. Example - assessment payments received in the form of cash can be diverted, but a journal entry must be made to show the account as "paid" in the receivables listing. Reviewing general ledger accounts for cash, assessments receivable, and accounts payable should normally not show any general journal entries, as all entries to these accounts should come from billing journals, cash receipts journals, purchase journals, or cash disbursement journals. General journal entries in these accounts are a red flag.
Using an outside bank lockbox system is one of the best ways to reduce risk on the billings/cash receipts cycle of transactions, as it eliminates the most common methods of diverting funds.
Establishing a fake vendor, often with a name virtually identical to the name of a legitimate vendor, is one method perpetrators use to divert funds from the purchases/cash disbursements cycle.
The basic steps that an association or board member can take to protect themselves are:
-
Never sign blank checks or checks payable to "cash"
-
Control the blank check stock
-
Require dual signatures on checks
-
Demand and review monthly financial statements
-
Review monthly bank statements and bank reconciliations
-
Make sure you are familiar with all association vendors
-
Segregate financial duties as much as possible amongst staff/members
-
Use an outside collection service for delinquent assessments receivable
-
Consider using a bank lockbox system for collecting assessments
-
Consider using an outside payroll service
-
Consider using a professional management company
-
Maintain adequate D & O (Directors and Officers) and fidelity bond insurance
-
Insist on an annual audit, which requires the auditor to document and understand your internal control system. Such procedures are not required in a review of financial statements.
I've been asked many times to perform what is referred to as a forensic investigation where fraud is known or suspected. It is possible to do, but be advised that such an investigation can, and usually does, cost many times more than a traditional financial statement audit. The reason is that the normal concept of "materiality" that is part of audit or review engagements does not exist in a forensic investigation. Instead, the investigator must look at much lower levels of transactions than would be considered in a financial statement audit.
In addition, while a financial statement audit is relative predictable and can often be bid on a fixed fee basis, a forensic investigation is usually an hourly billing engagement, because you never know what you will encounter. As an example, I was once engaged to perform an investigation that was discovered by the business owner. He showed me what he discovered, but asked me to investigate further and determine the total losses. We discovered five additional schemes used by the employee to divert funds, and the amount was quite large.
In summary, the best way to deal with fraud is to avoid it completely. You do this by designing strong accounting controls where there are always checks and balances rather than reliance on a single individual, and review financial statements frequently using year to year and budget to actual comparisons to look for anomalies. And, last but not least, request an annual audit or review of the association's financial statements.